Do you comply with industry security regulations or corporate security policies? Download the FREE Aelita InTrust(tm) Audit Advisor to identify systems that are not compliant with industry standard security policies, such as those published by SANS and the NSA, or your company specific policies. Then check out Aelita InTrust to consolidate IT audit data and produce compliance reports for industry regulations and policies. Download your FREE tool today!
http://www.aelita.com/updateInT111302

Last week, the Organization for the Advancement of Structured Information Standards (OASIS) approved the new Security Assertion Markup Language (SAML), which has been in development for some time. SAML uses XML to enable new Web-based security functions that interoperate across different Web sites, which will help create federated networks.

In April 2002, Microsoft, IBM, and VeriSign announced Web Services Security (WS-Security), and in the June 12, 2002, Security UPDATE commentary, I discussed WS-Security to some extent. The specification will support many types of credential information, including Kerberos, public key infrastructure (PKI), Extensible Rights Markup Language (XrML), SAML, and Secure Sockets Layer (SSL)/Transport Layer Security (TLS). Sun Microsystems also announced Liberty Alliance, its effort to help develop federated network technology.

According to James Kobielus, senior analyst at Burton Group, "SAML 1.0 supports secure interchange of authentication and authorization information by leveraging the core Web services standards of Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), and Transport Layer Security (TLS). Most vendors of Web access management solutions have committed to SAML 1.0 and are currently implementing the specification in their products."

Joe Pato of Hewlett-Packard (HP), co-chair of the OASIS Security Services Technical Committee, said that a major SAML design goal was single sign-on (SSO) capabilities, which would let users authenticate in one domain and access resources in another domain. SAML 1.0 includes that capability. In addition, according to Pato, "Several profiles of SAML are currently being defined that support different styles of SSO and the securing of SOAP payloads."

If you're a Web developer or you administer Web server security, you might be interested in reading about SAML assertions and protocols in a document that outlines the syntax and semantics. Another specification document can help you obtain a better understanding of how SAML works with WS-Security. That document describes how to use WS-Security headers to securely add SAML assertions.
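The commentary above describes SAML assertions carrying a user's authentication from one domain into another. The following is an added example, not code from the newsletter, from OASIS, or from any vendor's product: it constructs an unsigned SAML 1.0 assertion in the standard assertion namespace and then applies the checks a relying site must make before it trusts a subject authenticated elsewhere (issuer, validity window, audience restriction, presence of an authentication statement). The issuer name, audience URL, subject and times are constructed sample values.

```python
"""Relying-party validation of a SAML 1.0 assertion (added illustration)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

# Constructed sample values: a hypothetical identity provider and service provider.
ISSUER = "idp.example.test"
AUDIENCE = "https://app.example.test/"
NOW = datetime(2002, 11, 14, 10, 0, 0, tzinfo=timezone.utc)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # xsd:dateTime in UTC, as SAML requires


def build_assertion(issuer, subject, audience, issued_at, lifetime=timedelta(minutes=5)):
    """Return a constructed (unsigned) SAML 1.0 assertion as an XML string."""
    def q(tag):
        return "{%s}%s" % (SAML_NS, tag)

    root = ET.Element(q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "0",
        "AssertionID": "_" + uuid.uuid4().hex,   # xsd:ID must not start with a digit
        "Issuer": issuer,
        "IssueInstant": issued_at.strftime(TIME_FMT),
    })
    cond = ET.SubElement(root, q("Conditions"), {
        "NotBefore": issued_at.strftime(TIME_FMT),
        "NotOnOrAfter": (issued_at + lifetime).strftime(TIME_FMT),
    })
    arc = ET.SubElement(cond, q("AudienceRestrictionCondition"))
    ET.SubElement(arc, q("Audience")).text = audience
    stmt = ET.SubElement(root, q("AuthenticationStatement"), {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": issued_at.strftime(TIME_FMT),
    })
    subj = ET.SubElement(stmt, q("Subject"))
    ET.SubElement(subj, q("NameIdentifier")).text = subject
    return ET.tostring(root, encoding="unicode")


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       skew=timedelta(seconds=60)):
    """Return (accepted, reason) for an assertion presented to this service provider.

    Signature verification (XML-DSig) is deliberately not attempted here because the
    standard library has no canonicalisation support; without it nothing below proves
    who issued the assertion. A real relying party verifies the signature first.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "not well-formed XML"
    if root.tag != "{%s}Assertion" % SAML_NS:
        return False, "not a SAML 1.0 assertion"
    if root.get("MajorVersion") != "1":
        return False, "unsupported SAML major version"
    if root.get("Issuer") != expected_issuer:
        return False, "assertion from an untrusted issuer"

    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "no validity window"
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    # Tolerate a little clock skew between the two domains, never more.
    if now + skew < not_before:
        return False, "assertion not yet valid"
    if now - skew >= not_on_or_after:
        return False, "assertion expired"

    # An assertion minted for one site must not be accepted by another.
    audiences = [a.text for a in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "assertion was issued for a different audience"

    name = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        return False, "no authentication statement with a subject"
    return True, "accepted subject " + name.text


def run_checks():
    """Exercise the validator on a good assertion and on common failure cases."""
    good = build_assertion(ISSUER, "alice", AUDIENCE, NOW)
    other_site = build_assertion(ISSUER, "alice", "https://other.example.test/", NOW)
    rogue = build_assertion("rogue.example.test", "alice", AUDIENCE, NOW)
    return {
        "fresh": validate_assertion(good, ISSUER, AUDIENCE, NOW + timedelta(minutes=1)),
        "replayed_later": validate_assertion(good, ISSUER, AUDIENCE, NOW + timedelta(minutes=10)),
        "wrong_audience": validate_assertion(other_site, ISSUER, AUDIENCE, NOW),
        "untrusted_issuer": validate_assertion(rogue, ISSUER, AUDIENCE, NOW),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_checks().items():
        print("%-17s %s: %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The short lifetime and the audience restriction are what keep an assertion from being reused at a later time or against a different site; production code should also parse untrusted XML with a hardened parser rather than the plain standard-library one.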

But there's a catch regarding Microsoft's implementation of SAML. In July, "Network World Fusion" reported that Microsoft is implementing SAML 1.0, but only to a limited extent. In the article, Kobielus said, "[Microsoft is] not implementing the full suite of SAML assertions and profiles the way others are ... At some point you have to ask what is the purpose, if Microsoft is going to do it their own way." The article points out that Microsoft used the same tactic when the company implemented Kerberos in Windows 2000. To learn more about how Microsoft implements SAML, be sure to read the related Microsoft document, "WS-Security Profile for XML-based Tokens," on the Microsoft Web site.

Many vendors support SAML, and some of you might have begun using the technology before its official approval. Please participate in our Instant Poll this week and tell us whether you use SAML or some other credential technology for your Web applications.

A vulnerability exists in Oracle's iSQL*Plus Web-based application that lets an attacker compromise the vulnerable system and obtain system-level access. This vulnerability stems from a buffer-overflow condition in the iSQL application. The vendor, Oracle, has released Security Alert #46 to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in Oracle's alert.
http://www.secadministrator.com/articles/index.cfm?articleid=27240

DoS IN MICROSOFT WINDOWS XP AND WIN2K PPTP

A Denial of Service (DoS) vulnerability exists in Windows XP and Windows 2000 PPTP. This DoS vulnerability results from an unchecked buffer in a section of code that processes the control data used to establish, maintain, and tear down PPTP connections. The vendor, Microsoft, has released Security Bulletin MS02-063 (Unchecked Buffer in PPTP Implementation Could Enable Denial of Service Attacks) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=27227

MULTIPLE VULNERABILITIES IN MICROSOFT IIS 5.1, 5.0, AND 4.0

Four new vulnerabilities exist in Microsoft IIS. The most serious problem lets an attacker escalate privileges. Another problem results in a Denial of Service (DoS) condition on the vulnerable server. The vendor, Microsoft, has released Security Bulletin MS02-062 (Cumulative Patch for Internet Information Service) to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin. This patch is cumulative and addresses all previously discovered vulnerabilities.
http://www.secadministrator.com/articles/index.cfm?articleid=27228

3. ANNOUNCEMENTS (brought to you by Windows & .NET Magazine and its partners)

HOW CAN YOU RECLAIM 30% TO 50% OF WINDOWS SERVER SPACE?

Attend our newest Web seminar, brought to you by Windows & .NET Magazine and Precise SRM, and discover the secrets. Steven Toole will also advise you on how to reduce storage growth and backups by 30% and how to reduce storage administration by 25% or more. Space is limited for this important Web event, so register today!
http://www.winnetmag.com/seminars/precise

In conjunction with the announcement that Windows 2000 received the highest security certification level available to an OS, Microsoft released two new guides, the "Common Criteria Evaluated Configuration User's Guide," and the "Common Criteria Evaluated Configuration Administrator's Guide," which help people configure the OS securely.
http://www.secadministrator.com/articles/index.cfm?articleid=27178

FEATURE: EVENTCOMB: IT'S FREE; IT'S ESSENTIAL; GET IT!

EventComb is a new free tool from Microsoft that lets you search event logs for specific information. EventComb is part of a Microsoft document called "Security Operations Guide for Windows 2000 Server." To obtain EventComb, you need to go to Microsoft's Web site (the URL is linked in this article) and download secops.exe. When you run secops.exe, the program creates a folder called SecurityOps. Within SecurityOps is a folder named EventComb, which contains a compiled HTML Help file and the EventComb program.
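EventComb's job is to search the event logs of many servers for particular events. The following is an added example, not EventComb's own code or output, of that kind of search: a few constructed Security-log records in an export-like shape (computer, time, event ID, source, message) are filtered by event ID or message text and grouped per server, and repeated failed logons are summarised per account. The event IDs used are the Windows 2000 Security-log IDs 528 (successful logon), 529 (logon failure: unknown user name or bad password) and 517 (audit log cleared); the message wording and delimiter are constructed.

```python
"""Multi-server event-log search in the spirit of EventComb (added illustration)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export: computer|time|event ID|source|message
SAMPLE_LOG = """\
SRV1|2002-11-13 08:01:10|528|Security|Successful Logon: User Name: alice Domain: CORP
SRV1|2002-11-13 08:02:31|529|Security|Logon Failure: Unknown user name or bad password User Name: administrator
SRV1|2002-11-13 08:02:33|529|Security|Logon Failure: Unknown user name or bad password User Name: administrator
SRV1|2002-11-13 08:02:35|529|Security|Logon Failure: Unknown user name or bad password User Name: administrator
SRV2|2002-11-13 08:05:00|528|Security|Successful Logon: User Name: bob Domain: CORP
SRV2|2002-11-13 09:15:42|517|Security|The audit log was cleared Client User Name: bob
SRV3|2002-11-13 10:00:00|529|Security|Logon Failure: Unknown user name or bad password User Name: svc_backup
"""


def parse_log(text):
    """Turn the pipe-delimited export into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        computer, stamp, event_id, source, message = parts
        try:
            records.append({
                "computer": computer,
                "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                "event_id": int(event_id),
                "source": source,
                "message": message,
            })
        except ValueError:
            continue
    return records


def search_events(records, event_ids=(), text=None, since=None):
    """Return matching records grouped by computer, as a search across many servers would."""
    wanted = set(event_ids)
    hits = defaultdict(list)
    for r in records:
        if wanted and r["event_id"] not in wanted:
            continue
        if text and text.lower() not in r["message"].lower():
            continue
        if since and r["time"] < since:
            continue
        hits[r["computer"]].append(r)
    return dict(hits)


def failed_logons_per_account(records, threshold=3):
    """Accounts with at least `threshold` 529 events on one computer: worth an analyst's look."""
    counts = Counter()
    for r in records:
        if r["event_id"] == 529:
            user = r["message"].rsplit("User Name:", 1)[-1].strip()
            counts[(r["computer"], user)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for computer, rows in search_events(recs, event_ids=(517, 529)).items():
        print(computer, [r["event_id"] for r in rows])
    print(failed_logons_per_account(recs))
```

Event 517 deserves its own search because a cleared audit log is rarely routine; grouping the hits per computer is what makes a search across dozens of servers readable.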
http://www.secadministrator.com/articles/index.cfm?articleid=27132

NEWS: FIRE & WATER TOOLKIT BETA AVAILABLE

NTObjectives (NTO) announced that its new Fire & Water Toolkit is now available for public beta. The toolkit is an assessment and defense tool that you can use on local and remote networks. NTO said, "Fire & Water is a collection of cohesive, interactive command-line tools that perform network discovery, mapping, assessment, and reporting, as well as robust Web server defense." By using XML output interactively, Fire & Water can effectively manage multiple scans and their resulting output through standard output in the command line, Comma Separated Value (CSV), and HTML reports (created through Extensible Style Language—XSL templates provided with the tools) or through custom report formats.
http://www.secadministrator.com/articles/index.cfm?articleid=27273

5. HOT RELEASES (ADVERTISEMENTS)

FOCUS YOUR IT RESOURCES

Learn how better infrastructure management practices can speed the integration of e-business enterprises, while providing assurance of continuous availability, flexibility and scalability. Get the IBM white paper, "Infrastructure Resource Management: A Holistic Approach," at
http://www.ibm.com/e-business/playtowin/n339

The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you read the End User License Agreement (EULA) before you install new software?" Here are the results (+/- 2 percent) from the 540 votes:

3% Always

19% Sometimes

31% Rarely

46% Never

NEW INSTANT POLL: USING SAML

The next Instant Poll question is, "Do you use Security Assertion Markup Language (SAML) for security in your Web applications?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, c) Not yet, but we will, d) No—We use Extensible Rights Markup Language (XrML), and e) No—We use other security technology.
http://www.secadministrator.com

7. SECURITY TOOLKIT

VIRUS CENTER

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

FAQ: HOW CAN I CLEAR MY CUSTOMIZED FOLDER SETTINGS IN WINDOWS XP?

(contributed by John Savill, http://www.windows2000faq.com)

A. To clear any customized folder settings, perform the following steps:

1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell registry subkey.
3. Delete the Bags and BagMRU subkeys.
4. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam registry subkey.
5. Delete the Bags and BagMRU subkeys.
6. Close the registry editor, then reboot the machine for the changes to take effect.

8. NEW AND IMPROVED (contributed by Judy Drennen, products@winnetmag.com)

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to
whatshot@winnetmag.com.

Featured Thread: Securing Servers Under Insecure Conditions
(Eight messages in this thread)

A user writes that he has a client who has servers located in facilities without locked rooms. Some of the servers run Windows NT 4.0 and some run Windows 2000. He wonders how to secure servers at these sites when he can't physically lock the server in a room. Read the responses or lend a hand at the following URL:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=49147

A user writes that he has two Windows 2000 servers. One of them is the PDC and the other is a BDC. The PDC suffered a hard drive error. He wonders how to promote the BDC to take the PDC's place. Because there are no PDCs or BDCs in Win2K, you'll want to read what other users have said or lend a hand at the following URL: http://63.88.172.96/listserv/page_listserv.asp?A2=IND0211A&L=HOWTO&P=1861

10. CONTACT US
Here's how to reach us with your comments and questions:

ABOUT IN FOCUS — mark@ntsecurity.net

ABOUT THE NEWSLETTER IN GENERAL — lettersn@winnetmag.com (please mention the newsletter name in the subject line)